Review for Source Package: flexcache
[Summary]
A pretty simple and clear case, in my judgement not even requiring security
review => MIR team ACK
List of specific binary packages to be promoted to main: python3-flexcache
Specific binary packages built, but NOT to be promoted to main: n/a
Notes:
- none, left some comments in between while checking. But since none ended up
requiring an action those are not required to be read.
- This whole context also waits on another MIR in bug 2089037, no need
to act yet
Required TODOs:
- none
Recommended TODOs:
- It is intended but has not yet happened: please remember that the package
needs to get a team bug subscriber before it can be promoted
[Rationale, Duplication and Ownership]
There are many like python3-memoize or python3-beaker and I'm sure there are
others. To some extent you could say that the stdlib @lru_cache decorator
is doing something quite similar, but not exactly the same. I think there
is no other package in main providing the same functionality.
A team is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu. And the
package is small and not too complex, so it shouldn't be a huge burden.
[Dependencies]
OK:
- no other dependencies to MIR due to this (uses python3-typing-extensions which
is already in main)
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (I checked a bit deeper, but all that really
matters is actually e.g. pickle from stdlib, not this code in flexcache)
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (it is TBH not doing much more than remembering
what is loaded; IMHO it holds the same bar we apply elsewhere for code that
can go without extra isolation, which would be better done at the level of
the application that uses it anyway)
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build.
- does have a non-trivial test suite that runs as autopkgtest (uses
autopkgtest-pkg-pybuild to run the same in that context)
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok
- Upstream update history is good, but rather new
- Debian/Ubuntu update history has not enough track record to judge
- the current release is packaged
- promoting this does not seem to cause issues for the MOTUs that have so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
RULE: flag common issues:
RULE: - if you see anything else odd, speak up and ask for clarification
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (lib only)
Problems: None
** Changed in: flexcache (Ubuntu)
Status: New => Fix Committed
** Changed in: flexcache (Ubuntu)
Assignee: Christian Ehrhardt (paelzer) => (unassigned)
https://bugs.launchpad.net/bugs/2089036
Title:
[MIR] flexcache